The Lazarus group has tweaked its loader obfuscation techniques by abusing image files in a recent phishing campaign.
Lazarus is a state-sponsored advanced persistent threat (APT) group from North Korea.
Known as one of the most prolific and sophisticated APTs out there, Lazarus has been in operation for over a decade and is considered responsible for worldwide attacks including the WannaCry ransomware outbreak, bank thefts, and assaults against cryptocurrency exchanges.
In a campaign documented by Malwarebytes on April 13, a phishing document attributed to Lazarus revealed the use of an interesting technique designed to obfuscate payloads in image files.
The attack chain begins with a phishing Microsoft Office document (참가신청서양식.doc) and a lure in the Korean language. Intended victims are asked to enable macros in order to view the file’s content, which, in turn, triggers a malicious payload.
The macro brings up a pop-up message which claims to be an old version of Office, but instead, calls an executable HTA file compressed as a zlib file within an overall PNG image file.
During decompression, the PNG is converted to the BMP format, and once triggered, the HTA drops a loader for a Remote Access Trojan (RAT), stored as “AppStore.exe” on the target machine.
“This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images,” the researchers say. “The reason is because the document contains a PNG image that has a compressed zlib malicious object and since it’s compressed it can not be detected by static detections. Then the threat actor just used a simple conversion mechanism to decompress the malicious content.”
The RAT is able to link up to a command-and-control (C2) server, receive commands, and drop shellcode. Communication between the malware and C2 is base64 encoded and encrypted using a custom encryption algorithm that has previously been linked to Lazarus’ Bistromath RAT.
In related news, Google’s Threat Analysis Group (TAG) warned earlier this month that North Korean threat actors are targeting security researchers across social media. First spotted in January, the scheme now includes a web of sham profiles, browser exploits, and a fake offensive security company.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0